
Summary
This analytic rule is designed to detect suspicious search behavior within O365 SharePoint by identifying users who perform an excessive number of search queries or who search for keywords commonly associated with credential theft or unauthorized access attempts. By analyzing the Office 365 Unified Audit Log, the rule captures search queries that contain certain keywords and tracks each user's query count over a specified timeframe. If a user exceeds a threshold of 20 search queries, or searches for specific sensitive keywords (e.g., 'password', 'credential'), the rule flags this as potentially malicious behavior. This may indicate active enumeration of SharePoint data by a malicious actor within the O365 environment. Security teams can customize the rule to better fit their organizational risk profile and address potential false positives effectively.
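The two detection branches described above (per-user query count and sensitive-keyword match), as an added Python example run over constructed audit-log events; this is illustration code, not the rule's own query. The CreationTime, UserId, Workload and Operation fields follow the Office 365 Unified Audit Log common schema, while the SearchQueryText field and the 10-minute window are assumptions.

```python
"""Added example of the SharePoint search rule's logic (not the rule's own query).
CreationTime, UserId, Workload and Operation are Office 365 Unified Audit Log
common-schema fields; SearchQueryText and the 10-minute window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_KEYWORDS = ("password", "credential")  # keywords named in the rule summary
QUERY_THRESHOLD = 20                             # per-user query count from the summary
WINDOW = timedelta(minutes=10)                   # assumed "specified timeframe"


def detect_suspicious_search(records):
    """Return (user, reason, detail) alerts in firing order; records may arrive unordered."""
    events = sorted(records, key=lambda r: r["CreationTime"])
    recent = defaultdict(list)  # user -> timestamps of searches inside WINDOW
    alerts = []
    for rec in events:
        # Only SharePoint search events are relevant to this rule.
        if rec.get("Workload") != "SharePoint" or rec.get("Operation") != "SearchQueryPerformed":
            continue
        user, query = rec["UserId"], rec.get("SearchQueryText", "")
        ts = datetime.fromisoformat(rec["CreationTime"])
        # Branch 1: a single query for a sensitive term fires immediately.
        if any(k in query.lower() for k in SENSITIVE_KEYWORDS):
            alerts.append((user, "sensitive_keyword", query))
        # Branch 2: sliding-window count; fire once when the threshold is first exceeded.
        recent[user] = [t for t in recent[user] if ts - t <= WINDOW] + [ts]
        if len(recent[user]) == QUERY_THRESHOLD + 1:
            alerts.append((user, "excessive_queries", len(recent[user])))
    return alerts


def sample_events():
    """Constructed events: one user enumerating quickly, one keyword search, one unrelated event."""
    base = datetime(2025, 1, 8, 9, 0, 0)
    common = {"Workload": "SharePoint", "Operation": "SearchQueryPerformed"}
    events = [dict(common, CreationTime=(base + timedelta(seconds=12 * i)).isoformat(),
                   UserId="alice@example.com", SearchQueryText=f"finance report {i}")
              for i in range(22)]  # 22 searches in under five minutes
    events.append(dict(common, CreationTime=(base + timedelta(minutes=3)).isoformat(),
                       UserId="bob@example.com", SearchQueryText="vpn Password list"))
    events.append({"CreationTime": base.isoformat(), "UserId": "carol@example.com",
                   "Workload": "Exchange", "Operation": "MailItemsAccessed"})  # filtered out
    return events
```

Tuning the threshold or window against a baseline of normal search volume is where most false-positive reduction happens, since the keyword branch fires on a single event.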
Categories
- Cloud
- Web
- Application
Data Sources
- Cloud Service
- Application Log
ATT&CK Techniques
- T1213
- T1213.002
- T1552
Created: 2025-01-08